Web Search Plus
v2.9.2Unified search skill with Intelligent Auto-Routing. Uses multi-signal analysis to automatically select between Serper (Google), Tavily (Research), Querit (Mu...
⭐ 92· 19k·142 current·151 all-time
byRobby@robbyczgw-cla
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (multi-provider web search + auto-routing) align with the included Python scripts and docs. Required binaries (python3, bash) match the implementation. The environment variables listed in SKILL.md (provider API keys, KILOCODE_API_KEY, SEARXNG_INSTANCE_URL) directly correspond to the advertised providers and are justified.
Instruction Scope
SKILL.md instructs running scripts/setup.py and scripts/search.py and documents CLI flags; that matches the provided scripts. The runtime will read provider API keys from environment variables or a .env file and will cache results under .cache/ (or WSP_CACHE_DIR). Note: caching stores full query+results locally (including potential sensitive queries) and the code auto-loads a .env file found in the skill root — both expected for this tool but worth the operator's attention.
Install Mechanism
No install spec (instruction-only from OpenClaw perspective); code is bundled as plain Python scripts. No remote downloads or third‑party installers are invoked by the registry metadata. This is the lower-risk pattern for a script-based skill.
Credentials
The only environment variables referenced are provider API keys and an optional SEARXNG_INSTANCE_URL/WSP_CACHE_DIR — these map directly to the advertised providers and caching configuration. The SKILL.md marks keys optional and says only one provider key is needed; that is consistent with the code's fallback/skip behavior for unconfigured providers.
Persistence & Privilege
The skill is not forced-always, does not request elevated system privileges, and only writes to its own cache and provider_health files inside the skill directory (or to a user-specified WSP_CACHE_DIR). That is normal for a CLI-based aggregator and consistent with its purpose.
Assessment
This skill appears to do what it claims, but review a few practical points before installing:
- Cache: Search queries and provider results are stored in .cache/ by default (or WSP_CACHE_DIR). If you handle sensitive queries, either disable caching per-run, change the cache directory to a controlled location, or clear/secure the cache regularly.
- .env autoload: The script will auto-load a .env file from the skill root if present. Do not keep secrets in that file unless you intend the skill (or other local users) to access them. Prefer process-level environment variables or dedicated API accounts/limits.
- SearXNG usage: The skill can call a self-hosted SearXNG instance. Only point SEARXNG_INSTANCE_URL to instances you control or trust; avoid public instances that may log queries. The changelog mentions previous SSRF issues that were fixed — if you are running an older fork, verify the version includes the SSRF protections.
- Provider keys: Grant minimal-privilege / cost-limited provider API keys where possible. Using a single dedicated key/account for testing is safer than reusing high-privilege keys.
- Updates & provenance: The registry entry has no homepage and an unknown source. If you plan to rely on this in production, prefer obtaining the code from an authoritative repository (or verify the publisher) and keep it updated. If you need stronger assurance, audit the full search.py and setup.py files locally for any network calls beyond advertised provider endpoints.Like a lobster shell, security has layers — review code before you run it.
latestvk97fpchxz8nwvbttczfg1a2b4x83pe4g
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binspython3, bash